aws_iam_policy_document json changing #438

Closed
hashibot opened this issue Jun 13, 2017 · 11 comments · Fixed by #36597 or #22067
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Comments

@hashibot
This issue was originally opened by @joshuaspence as hashicorp/terraform#10853. It was migrated here as part of the provider split. The original body of the issue is below.


I've stumbled across a peculiar bug which I think has to do with the use of ignore_changes on a computed field. I am able to reproduce this bug using the Terraform configuration:

data "aws_iam_policy_document" "role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "role" {
  name_prefix        = "${var.name_prefix}-"
  assume_role_policy = "${data.aws_iam_policy_document.role.json}"

  lifecycle {
    ignore_changes = ["name"]
  }
}

variable "name_prefix" {
  type = "string"
}

First, run terraform apply -var name_prefix=foo. Next, run terraform plan -var name_prefix=bar. Terraform shows the following changes to be applied:

~ aws_iam_role.role
    assume_role_policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}"
@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@adamboritz
I've run into this bug with using the data source for s3 bucket policies, which don't have lifecycle blocks.

@radeksimko radeksimko added the service/iam Issues and PRs that pertain to the iam service. label Jan 25, 2018
@Hasgaroth
Contributor

Hasgaroth commented Apr 4, 2018

I am getting this issue using TF 0.11.5.
It appears to be that the aws_iam_policy_document data resource is including line prefix padding and the "\r" line ending, but also putting the statement elements in a different order than AWS returns for an existing policy.

Working around this temporarily with an ignore_changes lifecycle policy for assume_role_policy on the role, which is not the best option, but it does work.

@garo
garo commented Apr 23, 2018

Having the same problem with 0.11.7. I compared the before/after JSON objects and the two statements in them are in an opposite order, but beside that they are same and the change should not be reported.

@thejohnny
Experiencing this issue with the following:

Terraform v0.11.3
+ provider.aws v1.9.0
+ provider.template v1.0.0

Using a module which creates an assume_role_policy via template. Created a gist with the relevant files from the modules.

https://gist.github.com/thejohnny/fc82fbac2b983468655cad7ff18affab

@shadycuz
Contributor

Also still have this issue, but we are on v11 =/

@yangningBU
yangningBU commented Aug 8, 2019

This issue is frustrating because it prevents us from having a "code only" deployment that short-circuits the confirmation to run terraform apply when there are no infrastructure updates, as this resource always registers as "changing".

@kitos9112
This is indeed super frustrating. As @yangningBU states, we cannot do short-circuits during our CD jobs, as we're getting unnecessary TF applies happening in the background. A minor issue, got to say, but annoying after all :)

@aaleksandrov
We experience presumably something similar, but in our aws_iam_policy_document the compact function is used, so I assume that's the culprit in our case. Basically the same data source is used in 2 regions. In ap-southeast-1 all 7 lambdas exist, but in us-east-1 only 6. The change in the plan only shows up in the us-east-1 plan.

data "aws_iam_policy_document" "ci_user_policy_document" {
  statement {
    actions = [
      "lambda:UpdateFunctionCode",
      "lambda:InvokeFunction",
      "lambda:PublishVersion",
      "lambda:GetAlias",
      "lambda:UpdateAlias"
    ]

    resources = compact([
      module.order-service-order-sns.order_service_sns_lambda_arn,
      module.order-service-order-status-sns.order_service_sns_lambda_arn,
      module.order-service-order-dead-letter.dead_letter_sqs_lambda_arn,
      module.order-service-order-status-dead-letter.dead_letter_sqs_lambda_arn,
      module.alb-lambda.alb_lambda_arn,
      module.gdpr-integration.gdpr-lambda-arn,
      module.order-service-payment-transaction-sqs.order_service_payment_transaction_sqs_lambda_arn
    ])
  }
}

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.43.0 milestone Mar 26, 2024
This functionality has been released in v5.43.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 28, 2024